windylam
v1.0.0Collect and locally process ride-sharing receipts from Gmail into structured data and SQLite for spending and behavior insights, ensuring privacy.
⭐ 1· 63·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name/description ask for Gmail receipt collection, local extraction, and CSV export. Declared binaries (gog, python3), required env vars (OpenClaw gateway token/URL/model), and included scripts directly match that purpose. No unrelated credentials, binaries, or external services are requested.
Instruction Scope
SKILL.md and code clearly instruct fetching full receipt emails via the gog CLI and saving them to data/ride-insights/emails.json, then sending the raw per-email JSON/HTML to a local loopback Gateway (/v1/responses) for extraction. The skill documents and enforces asking the user for account selection and confirmation before extraction, and explicitly restricts Gateway hosts to localhost/127.0.0.1/::1. This behavior is expected for the stated purpose but important to note: raw receipt HTML/JSON is sent to a local model and emails.json persists on disk until deleted.
Install Mechanism
No remote install/downloads or package installs are declared; this is an instruction-only skill with bundled scripts that rely on existing gog and python3 binaries. That is low-risk and proportionate to the task.
Credentials
Declared environment variables (OPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_MODEL) are directly required for calling the local Gateway. The skill also accepts a local config fallback (~/.openclaw/openclaw.json) as documented. No unrelated secrets are requested.
Persistence & Privilege
The skill writes local artifacts (emails.json, rides.json, rides.sqlite, exported CSV) under data/ride-insights and reads ~/.openclaw/openclaw.json for Gateway auth as documented. always is false and it does not modify other skills or system-wide agent configs. Autonomous invocation is allowed by default but not exceptional here.
Assessment
This skill appears to do exactly what it says: it uses the gog CLI to fetch ride receipts from a selected Gmail account, stores the raw email JSON/HTML locally, sends that raw payload to a Gateway model running on localhost for extraction, and loads the extracted records into a local SQLite DB and anonymized CSV. Before installing/run it: (1) ensure you have and trust a local OpenClaw Gateway instance (the skill refuses non-local hosts), (2) confirm you are comfortable with raw receipt HTML/JSON being written to data/ride-insights/emails.json and sent to the local model, (3) protect the OPENCLAW_GATEWAY_TOKEN and the ~/.openclaw/openclaw.json file, (4) review and delete emails.json if you do not want the raw receipts to persist, and (5) ensure the gog CLI is authenticated only for the account(s) you intend to process. If you need remote/external extraction or do not want raw emails written to disk, do not install or run this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk97fb4h2f5c2fj80zw3hns968x84ap8r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsgog, python3
EnvOPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_MODEL